kanalavs
Contributor

Secure code review and got back the reports. Reports say that there are some security vulnerabilities

Hi,

Our customer engaged Pulse Secure to perform an IT security assessment on secure code review and got back the reports (attached). The reports say that there are some security vulnerabilities, as follows:

  1. Dynamic code evaluation: Code Injection
  2. HTML5: Overly permissive Message Posting Policy
  3. Password Management: Empty Password
  4. Key Management: Hardcoded Encryption Key

Summary for Item1   :Many modern programming languages allow dynamic interpretation of source instructions. This capability allows programmers to perform dynamic instructions based on input received from the user. Code injection vulnerabilities occur when the programmer incorrectly assumes that instructions supplied directly from the user will perform only innocent operations, such as performing simple calculations on active user objects or otherwise modifying the user's state. However, without proper validation, a user might specify operations the programmer does not intend.

Recommendation:

Avoid dynamic code interpretation whenever possible. If your program's functionality requires code to be interpreted dynamically, the likelihood of attack can be minimized by constraining the code your program will execute dynamically as much as possible, limiting it to an application- and context-specific subset of the base programming language.

If dynamic code execution is required, unvalidated user input should never be directly executed and interpreted by the application. Instead, use a level of indirection: create a list of legitimate operations and data objects that users are allowed to specify, and only allow users to select from the list. With this approach, input provided by users is never executed directly.

Summary for Item2  :

File: qsSimpleList/qsSimpleList.js

One of the new features of HTML5 is cross-document messaging. The feature allows scripts to post messages to other windows. The corresponding API allows the user to specify the origin of the target window. However, caution should be taken when specifying the target origin because an overly permissive target origin will allow a malicious script to communicate with the victim window in an inappropriate way, leading to spoofing, data theft, relay and other attacks.

Recommendation:

Do not use the * as the value of the target origin. Instead, provide a specific target origin.

 

Summary for Item3  :

File: Qlik Sense_files/client_002.js

It is never a good idea to have an empty password. It also makes fixing the problem extremely difficult once the code is in production. The password cannot be changed without patching the software. If the account protected by the empty password is compromised, the owners of the system will be forced to choose between security and availability.

Recommendation:

Passwords should never be empty and should generally be obfuscated and managed in an external source. Storing passwords in plaintext anywhere on the web site allows anyone with sufficient permissions to read and potentially misuse the password. For JavaScript calls that require passwords, it is better to prompt the user for the password at connection time.

Summary for Item4  :

qsSimpleKPI/vendors/react.min.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/client_002.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/client_002.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/require.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/require.js

cl-kpi/external/lodash/lodash.js

An attacker may be able to exploit known vulnerabilities against other users.

Recommendation:

Review if the application uses functions that are affected by the reported issues. Where possible, test and install latest security patches.

If not already in place, ensure that a patch management process is adhered to. Such a process should consist of at least the following:

  • Inventory of supporting software components, build numbers, patched date and product EOL
  • Regular checks on (or subscription to) product vendor security advisories
  • Regular process to test and deploy security updates

Any suggestions on this?

Thanks,

Sarojinidevi

0 Replies
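For Item 1 (Dynamic code evaluation: Code Injection), the following is an added example, not code from the post or from the Qlik extensions named in it. It contrasts evaluating a user-supplied "formula" string directly with the level of indirection the report recommends: the user picks an operation name from a fixed table and supplies only numeric arguments. The operation names, the hypothetical `applyFormula*` helpers and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the original post or the Qlik extension code):
// dynamic evaluation of a user-supplied expression versus an allowlist
// of operations. Operation names and sample inputs are constructed.

// VULNERABLE pattern: the user's string goes straight to the interpreter.
// A "formula" of "1+1" works, but so does any JavaScript an attacker sends.
function applyFormulaUnsafe(value, formula) {
  // eslint-disable-next-line no-new-func
  return new Function('x', 'return (' + formula + ');')(value);
}

// SAFE pattern: the user never supplies code, only the *name* of an
// operation plus a numeric argument. Everything executable lives here.
const OPERATIONS = Object.freeze({
  add:      (x, n) => x + n,
  multiply: (x, n) => x * n,
  percent:  (x, n) => (x * n) / 100,
  round:    (x)    => Math.round(x),
});

function applyFormulaSafe(value, request) {
  // Own-property check via Object.prototype so names such as 'constructor'
  // or '__proto__' cannot reach anything outside the table.
  if (typeof request !== 'object' || request === null ||
      typeof request.op !== 'string' ||
      !Object.prototype.hasOwnProperty.call(OPERATIONS, request.op)) {
    throw new Error('operation not permitted: ' + String(request && request.op));
  }
  const arg = request.arg === undefined ? undefined : Number(request.arg);
  if (arg !== undefined && !Number.isFinite(arg)) {
    throw new Error('argument must be a finite number');
  }
  return OPERATIONS[request.op](Number(value), arg);
}

// Constructed inputs: a legitimate calculation and an injection attempt that
// plants a global as proof of execution (a real payload would exfiltrate data).
const BENIGN_FORMULA  = '1+1';
const HOSTILE_FORMULA = '(globalThis.pwned = true, 0)';

function demo() {
  const results = {
    unsafeBenign:  applyFormulaUnsafe(5, BENIGN_FORMULA),   // 2, looks harmless
    unsafeHostile: applyFormulaUnsafe(5, HOSTILE_FORMULA),  // attacker code ran
    sideEffect:    globalThis.pwned === true,               // true: injection worked
    safe:          applyFormulaSafe(5, { op: 'multiply', arg: 3 }), // 15
  };
  let safeRejected = false;
  try { applyFormulaSafe(5, { op: 'constructor' }); } catch (e) { safeRejected = true; }
  results.safeRejected = safeRejected;   // true: nothing outside the table runs
  return results;
}

demo();
```

The key property of the safe variant is that no user-controlled string ever reaches `eval`, `new Function`, `setTimeout(string)` or similar; the only thing the user controls is which entry of a frozen table is called, and with what number.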
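For Item 2 (HTML5: Overly permissive Message Posting Policy), the following is an added example, not code from the post or from qsSimpleList.js. Node has no `window` or `postMessage`, so a small stand-in reproduces the one browser rule that matters for this finding: a posted message is delivered only if the target origin is `*` or equals the receiving window's current origin. It shows why `*` leaks data when the target frame has been navigated elsewhere, and adds the receiving-side `event.origin` check that the sending-side fix does not cover. The origins, the `fakeWindow` helper and the sample payload are all assumptions made for the example.

```javascript
// Added example (not from the original post or the qsSimpleList extension).
// Origins below are hypothetical; fakeWindow stands in for a browser window.
const EXTENSION_ORIGIN = 'https://qlik.example.com';     // assumed Qlik Sense host
const PARTNER_ORIGIN   = 'https://widgets.example.net';  // assumed trusted frame

// Minimal model of window.postMessage(data, targetOrigin) delivery semantics.
function fakeWindow(origin) {
  const delivered = [];
  return {
    origin,      // where the frame is currently loaded from
    delivered,   // messages the "browser" actually handed to the frame
    postMessage(data, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === this.origin) delivered.push(data);
    },
  };
}

// Overly permissive: '*' means "deliver to whatever page this frame shows now".
function sendUnsafe(targetWindow, data) {
  targetWindow.postMessage(data, '*');
}

// Recommended: name the single origin allowed to read the message.
function sendSafe(targetWindow, data) {
  targetWindow.postMessage(data, PARTNER_ORIGIN);
}

// Receiving side: verify event.origin before trusting event.data. Compare the
// whole origin with an exact match; a startsWith/indexOf check would accept
// 'https://qlik.example.com.evil.test'.
const ALLOWED_SENDERS = new Set([EXTENSION_ORIGIN, PARTNER_ORIGIN]);
function handleMessage(event) {
  if (!ALLOWED_SENDERS.has(event.origin)) return null;          // drop silently
  if (typeof event.data !== 'object' || event.data === null) return null;
  return event.data;                                             // safe to use
}

function demo() {
  // Constructed payload standing in for whatever the extension posts.
  const secret = { selection: 'Abonnemang', token: 'constructed-session-token' };

  // Case 1: partner frame still shows the trusted origin; both variants deliver.
  const trusted = fakeWindow(PARTNER_ORIGIN);
  sendUnsafe(trusted, secret);
  sendSafe(trusted, secret);

  // Case 2: the frame was navigated to an attacker's page before we posted.
  const hijacked = fakeWindow('https://attacker.example.org');
  sendUnsafe(hijacked, secret);   // leaks the payload
  sendSafe(hijacked, secret);     // browser discards it: origin mismatch

  return {
    trustedCount:  trusted.delivered.length,   // 2
    hijackedCount: hijacked.delivered.length,  // 1, and it came from sendUnsafe
    acceptedFromPartner:
      handleMessage({ origin: PARTNER_ORIGIN, data: { ok: true } }) !== null,
    rejectedFromLookalike:
      handleMessage({ origin: 'https://qlik.example.com.evil.test', data: { ok: true } }) === null,
  };
}

demo();
```

In the real extension the fix is the one-line change from `postMessage(msg, '*')` to `postMessage(msg, 'https://<the one expected origin>')`; keep the receiving-side origin check as well, since the report's recommendation only addresses the sender.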